Trojan Horses and Viruses
Copyright(c) Management Analytics, 1995 - All Rights Reserved
Copyright(c), 1990, 1995 Dr. Frederick B. Cohen - All Rights Reserved
Problem:
Trojan horses in the search path are very easy to implement in
UNIX, primarily because of the search mechanism used to find an
executable program. Each directory in the path is examined for each
program called. If a Trojan horse appears earlier in the path than
the desired program, the Trojan horse is run instead of the legitimate
program. A programmer can easily design the Trojan horse so that the
legitimate program is executed after the Trojan horse, and thus hide the
new function from the unsuspecting user.
Prevention:
Trojan horses can be prevented by sound change control (a system
which controls the programs entering the environment), but this doesn't
work well under UNIX because users tend to make changes and use programs
belonging to other users.
Detection:
Trojan horses placed in the path can be detected by integrity
shells, which can automatically and transparently prevent running this
sort of Trojan horse.
Cure:
Once a Trojan horse in the path is found, it is usually easy
to remove by deleting the offending program and (if appropriate)
replacing it with a clean copy. You should also try to find the user
who placed the Trojan horse (perhaps by looking at the owner of the
file). Be careful: it is easy to use a Trojan horse to forge another
user's Uid on a second Trojan horse, and thus misdirect the defender.
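The conditions that make a search-path Trojan horse possible (a relative or empty entry in the path, a directory any user can write to, and a command name that appears in more than one path directory) can all be audited from a shell. The script below is an added example and is not part of Cohen's text; it assumes only a POSIX shell, ls, awk and mktemp, and reads the "other" write bit from column 9 of `ls -ld`.

```sh
#!/bin/sh
# Added example (not from the original text): audit a PATH string for the
# conditions that let a search-path Trojan horse win the lookup.
# Findings are printed one per line; no output means nothing was found.

audit_path() {
    path="$1"
    seen=$(mktemp) || return 1      # "name<TAB>dir" of every command already claimed
    printf '%s\n' "$path" | tr ':' '\n' | while IFS= read -r dir; do
        # 1. Relative entries: the current directory is searched, so whoever
        #    controls the directory a user happens to be in controls lookups.
        case "$dir" in
            ''|.|./*|../*)
                echo "RELATIVE: '$dir' resolves against the current working directory"
                continue ;;
        esac
        [ -d "$dir" ] || { echo "MISSING: $dir"; continue; }
        # 2. World-writable directory: any user can plant a file that is found
        #    before the legitimate program.  Column 9 of 'ls -ld' is the
        #    "other" write bit, which is portable across POSIX systems.
        if [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
            echo "WRITABLE: $dir is world-writable"
        fi
        # 3. Shadowing: an executable whose name was already claimed by an
        #    earlier directory is never reached; report which copy wins.
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            earlier=$(awk -F '\t' -v n="$name" '$1 == n { print $2; exit }' "$seen")
            if [ -n "$earlier" ]; then
                echo "SHADOWED: $f is never reached; $earlier/$name runs instead"
            else
                printf '%s\t%s\n' "$name" "$dir" >> "$seen"
            fi
        done
    done
    rm -f "$seen"
}

# Typical use: audit_path "$PATH"
```

A SHADOWED line is not proof of a Trojan horse (system directories legitimately carry duplicates), but a copy of a common command that sits in a writable or user-owned directory ahead of /bin or /usr/bin is exactly the case the text describes and deserves inspection of owner and contents.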
Problem:
Trojan horses can also be used to spoof terminal login sessions.
The attacker need only simulate the normal login sequence (which can be
done in a few lines in Sh) and save a copy of the Uid and password in
a file.
Prevention:
Spoofing like this can be prevented by providing a `secure' path
between the user and the operating system, but no such facility is normally
provided with UNIX.
Detection:
To detect spoofing, you can look for terminals without users on
them which have processes active. Another common detection method is to
look for processes on terminals that haven't had any IO for a long
period of time (although this is inappropriate in some environments).
Cure:
Eliminating a spoofing program of this sort involves killing the
process currently spoofing a login, identifying the perpetrator, and
acting appropriately to prevent further attacks.
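Both detection methods above (a terminal with an active process but no logged-in user, and a session idle beyond a threshold) can be run as one cross-check of `who -u` against `ps`. The script below is an added example, not part of Cohen's text. It assumes the GNU `who -u` column layout (user, tty, date, time, idle, pid) and `ps -eo tty=,user=,pid=,comm=`, and it takes both listings as files so the same logic runs over captured or constructed data; the idle threshold in minutes is the optional third argument.

```sh
#!/bin/sh
# Added example (not from the original text): flag terminals that have a
# running process but no login session, and sessions idle past a limit.
#   $1  file holding 'who -u' output   (user tty date time idle pid ...)
#   $2  file holding 'ps -eo tty=,user=,pid=,comm=' output
#   $3  idle threshold in minutes (default 60)

suspicious_ttys() {
    who_file="$1"; ps_file="$2"; limit="${3:-60}"
    awk -v limit="$limit" '
        # pass 1 (who -u): remember which ttys carry a login, and report idle ones.
        # The idle column is ".", "old" (over a day) or HH:MM.
        FILENAME == ARGV[1] {
            tty = $2; users[tty] = $1; idle = $5
            if (idle == "old")    mins = 1440
            else if (idle == ".") mins = 0
            else { split(idle, hm, ":"); mins = hm[1] * 60 + hm[2] }
            if (mins >= limit)
                printf "IDLE: %s on %s idle %d minutes\n", $1, tty, mins
            next
        }
        # pass 2 (ps): skip kernel/daemon processes ("?") and the login
        # prompts themselves, which legitimately sit on terminals with no user.
        $1 == "?" || $4 ~ /getty/ { next }
        !($1 in users) && !($1 in reported) {
            reported[$1] = 1
            printf "ORPHAN: %s has process %s (%s, pid %s) but no login session\n",
                   $1, $4, $2, $3
        }
    ' "$who_file" "$ps_file"
}

# Typical use on a live system:
#   who -u > /tmp/who.$$; ps -eo tty=,user=,pid=,comm= > /tmp/ps.$$
#   suspicious_ttys /tmp/who.$$ /tmp/ps.$$ 30
```

The getty exclusion is the main tuning point: any other process that legitimately holds a terminal without a login entry (a console logger, a serial-line monitor) must be added to that pattern, or it will be reported on every run.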
Problem:
Viruses can be used to spread an attack throughout a system or
network. A virus works by replicating inside programs. Each `infected'
program then spreads the virus further. The UNIX protection mechanisms
are inadequate for virus defense.
Prevention:
Viruses cannot be completely prevented under UNIX or any other
modern operating system except by eliminating sharing, or eliminating
programming. This is almost never feasible in a modern UNIX system.
Detection:
Viruses can reliably be detected by using an integrity shell instead
of the normal UNIX shell. Integrity shells for UNIX have been in use
for several years, and work transparently to the normal user.
Cure:
Viruses are best cured with on-line backups which automate the
restoration of corrupted information under an integrity shell. Off-line
backups are also effective in many cases, as long as good detection is in
place. Without good detection, backups are ineffective against viruses.
Problem:
Trojan horses can often be placed in libraries or other commonly
used areas. By placing a Trojan horse in a library, it gets
incorporated with legitimate programs compiled by other users.
Prevention:
Publicly accessible common use libraries should not be permitted
in most computing environments. A better approach is to use sound change
control and have a library administrator who is in charge of examining
source code and compiling all information placed in libraries.
Detection:
There is no sound way to detect a Trojan horse in a library file
except by examining every instruction in the file.
Cure:
Once detected, libraries can usually be cleaned by replacing all
of the corrupt files with legitimate copies. Without good detection, cure
is infeasible.
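The integrity shell that the virus section relies on, and the "replace corrupt files with legitimate copies" cure for libraries, both rest on one mechanism: a baseline of file hashes taken under change control, checked before a program is run and whenever a library is audited. The script below is an added example and not Cohen's or any product's code; it assumes `sha256sum` (or `shasum -a 256` as a fallback) is available and writes the baseline as "hash<TAB>path" lines.

```sh
#!/bin/sh
# Added example (not from the original text): a minimal integrity baseline,
# a verifier for libraries and other shared files, and a wrapper that runs a
# program only if it still matches the baseline (the integrity-shell idea).

tab=$(printf '\t')

# Cryptographic hash of one file; a CRC such as cksum is not enough because
# a modified program can be padded to keep the same CRC.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# baseline MANIFEST FILE...  : record the current state of each FILE.
# Run this only on copies that change control has approved.
baseline() {
    manifest="$1"; shift
    for f in "$@"; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done > "$manifest"
}

# verify_manifest MANIFEST : report every entry that is missing or changed;
# returns 1 if anything differs so it can drive a restore from backup.
verify_manifest() {
    manifest="$1"; status=0
    while IFS="$tab" read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"; status=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED: $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# checked_run MANIFEST PROGRAM [ARGS...] : refuse to execute a program that
# is absent from the baseline or no longer matches it.
checked_run() {
    manifest="$1"; prog="$2"; shift 2
    want=$(awk -F '\t' -v p="$prog" '$2 == p { print $1; exit }' "$manifest")
    if [ -z "$want" ]; then
        echo "REFUSED: $prog is not in the baseline" >&2; return 2
    fi
    if [ "$(hash_file "$prog")" != "$want" ]; then
        echo "REFUSED: $prog has changed since the baseline was taken" >&2; return 3
    fi
    "$prog" "$@"
}

# Typical use: baseline /var/lib/baseline /usr/local/bin/* /usr/local/lib/*.a
#              checked_run /var/lib/baseline /usr/local/bin/tool --flag
```

The manifest itself must be protected at least as well as the files it describes (read-only media or a separate host), since a virus that can rewrite the baseline defeats the check; this is why the text ties the cure to backups that are restored only after detection.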